Skip to main content
CVE-2019-9585 CRITICAL POC Act Now

eQ-3 Homematic CCU2 prior to 2.47.10 and CCU3 prior to 3.47.10 JSON API has Improper Access Control for Interface.***Metadata related operations, resulting in the ability to read, set and deletion of. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Homematic Ccu2 Firmware Homematic Ccu3 Firmware
NVD GitHub
CVSS 3.0
9.8
EPSS
2.7%
CVE-2019-9584 CRITICAL POC Act Now

eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Homematic Ccu2 Firmware Homematic Ccu3 Firmware
NVD GitHub
CVSS 3.0
9.8
EPSS
2.7%
CVE-2019-14527 CRITICAL POC Act Now

An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Netgear Command Injection Mr1100 Firmware
NVD
CVSS 3.0
9.8
EPSS
2.7%
CVE-2019-15052 CRITICAL POC PATCH Act Now

The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Gradle
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2019-15027 CRITICAL POC Act Now

The MediaTek Embedded Multimedia Card (eMMC) subsystem for Android on MT65xx, MT66xx, and MT8163 SoC devices allows attackers to execute arbitrary commands as root via shell metacharacters in a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Mediatek Command Injection Mt8163 Firmware Mt6625 Firmware +1
NVD GitHub
CVSS 3.0
9.8
EPSS
3.2%
CVE-2019-15058 CRITICAL POC Act Now

stb_image.h (aka the stb image loader) 2.23 has a heap-based buffer over-read in stbi__tga_load, leading to Information Disclosure or Denial of Service. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Information Disclosure Stb
NVD GitHub
CVSS 3.0
9.1
EPSS
2.8%
CVE-2019-1152 HIGH POC PATCH THREAT This Week

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Microsoft RCE Memory Corruption Windows 10 +7
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
13.1%
CVE-2019-1151 HIGH POC PATCH THREAT This Week

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Microsoft RCE Memory Corruption Office +8
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
15.5%
CVE-2019-1150 HIGH POC PATCH THREAT This Week

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Microsoft RCE Memory Corruption Windows 10 +7
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
29.1%
CVE-2019-1149 HIGH POC PATCH THREAT This Week

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Microsoft RCE Memory Corruption Office +8
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
13.9%
CVE-2019-1145 HIGH POC PATCH THREAT This Week

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Microsoft RCE Windows 10 Windows 7 +6
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
13.1%
CVE-2019-1144 HIGH POC PATCH THREAT This Week

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Microsoft RCE Windows 10 Windows 7 Windows 8 1 +5
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
13.1%
CVE-2019-14216 HIGH POC PATCH This Week

An issue was discovered in the svg-vector-icon-plugin (aka WP SVG Icons) plugin through 3.2.1 for WordPress. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP WordPress CSRF Wp Svg Icons
NVD
CVSS 3.0
8.8
EPSS
0.8%
CVE-2019-12104 HIGH POC PATCH This Week

The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by several post-authentication command injection vulnerabilities. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

TP-Link Command Injection M7350 Firmware
NVD
CVSS 3.0
8.8
EPSS
4.7%
CVE-2019-15050 HIGH POC This Week

An issue was discovered in Bento4 1.5.1.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Bento4
NVD GitHub
CVSS 3.0
8.8
EPSS
1.5%
CVE-2019-15049 HIGH POC This Week

An issue was discovered in Bento4 1.5.1.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Bento4
NVD GitHub
CVSS 3.0
8.8
EPSS
1.5%
CVE-2019-15048 HIGH POC This Week

An issue was discovered in Bento4 1.5.1.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption Bento4
NVD GitHub
CVSS 3.0
8.8
EPSS
1.4%
CVE-2019-15047 HIGH POC This Week

An issue was discovered in Bento4 1.5.1.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Bento4
NVD GitHub
CVSS 3.0
8.8
EPSS
1.5%
CVE-2019-13030 HIGH POC This Week

eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' prior to 2.4.5 allows uncontrolled admin access to start or stop the Node.js process, resulting in the ability to obtain mediola. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Neo Server
NVD GitHub
CVSS 3.1
8.2
EPSS
1.9%
CVE-2019-9583 HIGH POC This Week

eQ-3 Homematic CCU2 and CCU3 obtain session IDs without login. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Homematic Ccu3 Firmware Homematic Ccu2 Firmware
NVD GitHub
CVSS 3.1
8.2
EPSS
1.9%
CVE-2019-14526 HIGH POC This Week

An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Netgear CSRF Mr1100 Firmware
NVD
CVSS 3.0
8.1
EPSS
0.7%
CVE-2019-15062 HIGH POC PATCH This Week

An issue was discovered in Dolibarr 11.0.0-alpha. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Dolibarr Erp Crm
NVD GitHub
CVSS 3.0
8.0
EPSS
0.6%
CVE-2019-1170 HIGH POC PATCH This Week

An elevation of privilege vulnerability exists when reparse points are created by sandboxed processes allowing sandbox escape. Rated high severity (CVSS 7.9), this vulnerability is low attack complexity. Public exploit code available.

Authentication Bypass Windows 10 Windows Server 2016 Windows Server 2019
NVD Exploit-DB
CVSS 3.1
7.9
EPSS
2.4%
CVE-2019-9582 HIGH POC This Week

eQ-3 Homematic CCU2 outdated base software packages allows Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Homematic Ccu2 Firmware
NVD GitHub
CVSS 3.0
7.5
EPSS
2.4%
CVE-2019-15046 HIGH POC This Week

Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Zoho Manageengine Servicedesk Plus
NVD
CVSS 3.1
7.5
EPSS
5.3%
CVE-2019-14975 HIGH POC This Week

Artifex MuPDF before 1.16.0 has a heap-based buffer over-read in fz_chartorune in fitz/string.c because pdf/pdf-op-filter.c does not check for a missing string. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Mupdf
NVD
CVSS 3.0
7.1
EPSS
1.1%
CVE-2019-15053 MEDIUM POC This Month

The "HTML Include and replace macro" plugin before 1.5.0 for Confluence Server allows a bypass of the includeScripts=false XSS protection mechanism via vectors involving an IFRAME element. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Atlassian Html Include And Replace Macro
NVD GitHub
CVSS 3.0
6.8
EPSS
1.3%
CVE-2019-14427 MEDIUM POC This Month

XSS exists in WEB STUDIO Ultimate Loan Manager 2.0 by adding a branch under the Branches button that sets the notes parameter with crafted JavaScript code. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ultimate Loan Manager
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
1.0%
CVE-2019-14974 MEDIUM POC THREAT This Month

SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Sugarcrm
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
31.0%
CVE-2019-1226 CRITICAL PATCH Act Now

A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an unauthenticated attacker connects to the target system using RDP and sends. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Windows 10 Windows Server 2016 Windows Server 2019
NVD
CVSS 3.1
9.8
EPSS
7.6%
CVE-2019-1222 CRITICAL PATCH Act Now

A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an unauthenticated attacker connects to the target system using RDP and sends. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Windows 10 Windows Server 2016 Windows Server 2019
NVD
CVSS 3.1
9.8
EPSS
7.6%
CVE-2019-1213 CRITICAL PATCH Act Now

A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow Microsoft RCE Memory Corruption Windows Server 2008
NVD
CVSS 3.1
9.8
EPSS
4.2%
CVE-2019-1212 CRITICAL PATCH Act Now

A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow Microsoft Memory Corruption Windows 10 Windows 7 +6
NVD
CVSS 3.1
9.8
EPSS
6.7%
CVE-2019-1205 CRITICAL PATCH Act Now

A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft RCE Office Office 365 Proplus Office Online Server +1
NVD
CVSS 3.1
9.8
EPSS
4.0%
CVE-2019-1182 CRITICAL PATCH Act Now

A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an unauthenticated attacker connects to the target system using RDP and sends. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Windows 10 Windows 7 Windows 8 1 Windows Rt 8 1 +4
NVD
CVSS 3.1
9.8
EPSS
12.9%
CVE-2019-1181 CRITICAL PATCH Act Now

A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an unauthenticated attacker connects to the target system using RDP and sends. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Windows 10 Windows 7 Windows 8 1 Windows Rt 8 1 +4
NVD
CVSS 3.1
9.8
EPSS
75.2%
CVE-2019-12103 CRITICAL PATCH Act Now

The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by a pre-authentication command injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

TP-Link Command Injection M7350 Firmware
NVD
CVSS 3.0
9.8
EPSS
3.4%
CVE-2019-0736 CRITICAL PATCH Act Now

A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow Microsoft RCE Memory Corruption Windows 10 +6
NVD
CVSS 3.1
9.8
EPSS
4.0%
CVE-2019-12262 CRITICAL Act Now

Wind River VxWorks 6.6, 6.7, 6.8, 6.9 and 7 has Incorrect Access Control in the RARP client component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Vxworks Hirschmann Hios Garrettcom Magnum Dx940E Firmware Ruggedcom Win7000 Firmware +3
NVD
CVSS 3.1
9.8
EPSS
4.1%
CVE-2019-11652 CRITICAL Act Now

A potential authorization bypass issue was found in Micro Focus Self Service Password Reset (SSPR) versions prior to: 4.4.0.3, 4.3.0.6, and 4.2.0.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Netiq Self Service Password Reset
NVD
CVSS 3.0
9.8
EPSS
2.1%
CVE-2019-15025 CRITICAL Act Now

The ninja-forms plugin before 3.3.21.2 for WordPress has SQL injection in the search filter on the submissions page. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi WordPress Ninjaforms
NVD
CVSS 3.0
9.8
EPSS
1.8%
CVE-2019-0345 CRITICAL Act Now

A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview), versions 7.30, 7.31, 7.40, 7.50, by sending a specially crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java SSRF SAP Netweaver Application Server Java
NVD
CVSS 3.0
9.8
EPSS
2.3%
CVE-2019-0344 CRITICAL KEV THREAT Act Now

Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE SAP Deserialization Commerce Cloud
NVD
CVSS 3.1
9.8
EPSS
7.1%
CVE-2019-1153 MEDIUM POC PATCH This Month

An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Buffer Overflow Microsoft Information Disclosure Office Windows 10 +7
NVD Exploit-DB
CVSS 3.1
5.5
EPSS
2.8%
CVE-2019-1148 MEDIUM POC PATCH This Month

An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Buffer Overflow Microsoft Information Disclosure Office Windows 10 +7
NVD Exploit-DB
CVSS 3.1
5.5
EPSS
2.8%
CVE-2019-1258 HIGH PATCH This Week

An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Microsoft Information Disclosure Active Directory Authentication Library Nuget
NVD
CVSS 3.0
8.8
EPSS
3.8%
CVE-2019-1229 HIGH PATCH This Week

An elevation of privilege vulnerability exists in Dynamics On-Premise v9. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Dynamics 365
NVD
CVSS 3.0
8.8
EPSS
3.5%
CVE-2019-1183 HIGH PATCH This Week

This information is being revised to indicate that this CVE (CVE-2019-1183) is fully mitigated by the security updates for the vulnerability discussed in CVE-2019-1194. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Windows 10 Windows 7 Windows 8 1 Windows Rt 8 1 +4
NVD
CVSS 3.0
8.8
EPSS
4.8%
CVE-2019-1140 HIGH PATCH This Week

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow Microsoft RCE Memory Corruption Edge
NVD
CVSS 3.1
8.8
EPSS
3.8%
CVE-2019-10199 HIGH PATCH This Week

It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Keycloak
NVD
CVSS 3.1
8.8
EPSS
0.5%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy